Vulnerabilities for Sale

2014 showed that vulnerabilities could be found in all applications – both Heartbleed and Shellshock caught system administrators off-guard by revealing that open-source server applications could have severe vulnerabilities as well.

The reality is that making software that is free from vulnerabilities is difficult and expensive, if not completely impossible. For every thousand lines of code, you can expect to find 15 to 50 errors of some kind. Maybe you can get that error rate down for truly critical applications like space exploration, but doing so adds time and money to the cost of software development.

It used to be that discovered vulnerabilities were reported to developers so that they could be fixed and as many users as possible could be protected. However, more and more vulnerabilities are being discovered by companies that sell this information to the highest bidder.

This doesn’t help anyone – except the companies engaged in buying and selling these vulnerabilities. Developers can’t fix their products, users are left at risk, and the security community at large is left in the dark about today’s threats. The Internet, as a whole, is less safe.

It shouldn’t be a surprise that some governments are already trying to control these markets. Last year, the Wassenaar Arrangement considered exploit code to fall under the new category of “intrusion software”; items covered by the Arrangement are considered to be “dual-use” (i.e., having both military and civilian applications). This means that the 41 member countries of the Arrangement may subject these items to export controls. In fact, this year’s would-be attendees of Pwn2Own were asked to check with their lawyers whether export authorization or government notification was necessary before they could participate.

Of course, researchers who discover vulnerabilities want to be compensated for their efforts as well. There are ways to do this without selling vulnerabilities on the open market: major sites and vendors already pay bug bounties to researchers who find vulnerabilities in their products.

We can’t force companies or individuals to stop buying or selling vulnerabilities, but what we can do is dry up the supply. By creating more secure products that contain fewer vulnerabilities and do a better job of mitigating those that are present, we make the Internet safer for everyone.